Icann Files Suit in Germany in Bid to Clarify GDPR

Internet oversight body Icann has filed a one-sided lawsuit in Germany in a bid to clarify its GDPR obligations, after clashes with European regulators.

Icann is taking action after EPAG, part of the Tucows group, decided to no longer collect “administrative and technical contact information” for the Whois database as it believes it would conflict with the new privacy legislation.

However, failing to do so breaks the terms of Icann’s recently created Temporary Specification.

Although the oversight body believes the new rules comply with the GDPR, Tucows disagrees, claiming it breaks the principle of data minimization if it means the registry is required “to store and process personal data belonging to people with whom we have no legal or contractual relationship.”

There are also issues with Icann’s requirement that registrars send all data collected to the relevant registry as it contravenes the principle of data use only when a legitimate legal basis applies, Tucows said.

“Icann has also required that we continue to publish the organization, state/province, and country fields in the public Whois. We disagree that the organization should be published because, although it is optional, many people do not realize this and put their own first and last names in the organization field,” Tucows added. “We do not want to expose the personal data of these registrants because of a misunderstanding, and it will take considerable time to educate registrants and cleanse this data from the field.”

For Icann and the US government, this is a serious matter as they believe Whois data is a critical resource for law enforcers and IP rights holders and one which should be kept intact.

That sets Washington yet again on a collision course with Brussels.

It should also be mentioned that Icann’s one-sided filing should help to stay any further GDPR-related legal action against the body until a decision is made.

Andy Kays, CTO of Redscan, argued that Whois can be an invaluable resource in helping to track down phishers and spammers.

“An accreditation scheme, that would vet access to personal data in Whois records for special interest groups such as the police, security researchers and journalists, would certainly be very welcome and help to address concerns,” he added. “Planning to implement such a vetting system should have started years ago but by only recently attempting to outline its proposals, Icann shows that it has been too slow to react to the global impact of the GDPR.”

What’s Hot on Infosecurity Magazine?